← Back
2026-03-26 13:36CVE-2026-33413GitHub_M
PUBLISHED5.2CWE-862

etcd: Authorization bypasses in multiple APIs

etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, unauthorized users may bypass authentication or authorization checks and call certain etcd functions in clusters that expose the gRPC API to untrusted or partially trusted clients. In unpatched etcd clusters with etcd auth enabled, unauthorized users are able to call MemberList and learn cluster topology, including member IDs and advertised endpoints; call Alarm, which can be abused for operational disruption or denial of service; use Lease APIs, interfering with TTL-based keys and lease ownership; and/or trigger compaction, permanently removing historical revisions and disrupting watch, audit, and recovery workflows. Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice. Restrict network access to etcd server ports so only trusted components can connect and/or require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution.

Problem type

Affected products

etcd-io

etcd

>= 3.6.0-alpha.0, < 3.6.9 - AFFECTED

>= 3.5.0-alpha.0, < 3.5.28 - AFFECTED

< 3.4.42 - AFFECTED

References

https://github.com/etcd-io/etcd/security/advisories/GHSA-q8m4-xhhv-38mg

https://github.com/etcd-io/etcd/security/advisories/GHSA-q8m4-xhhv-38mg

x_refsource_CONFIRM

GitHub Security Advisories

GHSA-q8m4-xhhv-38mg

etcd: Authorization bypasses in multiple APIs

https://github.com/advisories/GHSA-q8m4-xhhv-38mg

Impact

What kind of vulnerability is it? Who is impacted?

Multiple vulnerabilities allow unauthorized users to bypass authentication or authorization checks and call certain etcd functions in clusters that expose the gRPC API to untrusted or partially trusted clients.

In unpatched etcd clusters with etcd auth enabled, unauthorized users are able to:

  • call MemberList and learn cluster topology, including member IDs and advertised endpoints
  • call Alarm, which can be abused for operational disruption or denial of service
  • use Lease APIs, interfering with TTL-based keys and lease ownership
  • trigger compaction, permanently removing historical revisions and disrupting watch, audit, and recovery workflows

Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected.

Patches

Has the problem been patched? What versions should users upgrade to?

These vulnerabilities are patched in the following versions:

  • etcd 3.6.9
  • etcd 3.5.28
  • etcd 3.4.42

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice.

  • restrict network access to etcd server ports so only trusted components can connect
  • require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution

Reporters

Community efforts help keep etcd secure

The etcd community thanks Isaac David, bugbunny.ai, Asim Viladi Oglu Manizada, Alex Schapiro & Ahmed Allam from Strix security, Luke Francis, and @OLU-DEVX for reporting these vulnerabilities.

Dependency Between Reported Issues

These issues all originate from the same underlying flaw in the gRPC API layer.

They affect the same API surface and share a common root cause. In practice, the fix is implemented as a single, unified change at the API layer, which resolves all issues together.

Given this, we believe these issues are best treated as a single vulnerability and should be assigned a single CVE.

github.com

https://github.com/etcd-io/etcd/security/advisories/GHSA-q8m4-xhhv-38mg

github.com

https://github.com/advisories/GHSA-q8m4-xhhv-38mg

From Hacker News

CVE-2026-33413 found in ETCD by open source AI agent (strix.ai), 8.8 CVSShttps://www.wiz.io/vulnerability-database/cve/cve-2026-33413
1 points | bearsyankees | 2026-03-24T15:47:35Z | 0 comments

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-33413
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-33413",
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "dateUpdated": "2026-03-26T18:51:42.935Z",
    "dateReserved": "2026-03-19T17:02:34.171Z",
    "datePublished": "2026-03-26T13:36:10.919Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M",
        "dateUpdated": "2026-03-26T13:36:10.919Z"
      },
      "title": "etcd: Authorization bypasses in multiple APIs",
      "descriptions": [
        {
          "lang": "en",
          "value": "etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, unauthorized users may bypass authentication or authorization checks and call certain etcd functions in clusters that expose the gRPC API to untrusted or partially trusted clients. In unpatched etcd clusters with etcd auth enabled, unauthorized users are able to call MemberList and learn cluster topology, including member IDs and advertised endpoints; call Alarm, which can be abused for operational disruption or denial of service; use Lease APIs, interfering with TTL-based keys and lease ownership; and/or trigger compaction, permanently removing historical revisions and disrupting watch, audit, and recovery workflows. Kubernetes does not rely on etcd’s built-in authentication and authorization. Instead, the API server handles authentication and authorization itself, so typical Kubernetes deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9 contain a patch. If upgrading is not immediately possible, reduce exposure by treating the affected RPCs as unauthenticated in practice. Restrict network access to etcd server ports so only trusted components can connect and/or require strong client identity at the transport layer, such as mTLS with tightly scoped client certificate distribution."
        }
      ],
      "affected": [
        {
          "vendor": "etcd-io",
          "product": "etcd",
          "versions": [
            {
              "version": ">= 3.6.0-alpha.0, < 3.6.9",
              "status": "affected"
            },
            {
              "version": ">= 3.5.0-alpha.0, < 3.5.28",
              "status": "affected"
            },
            {
              "version": "< 3.4.42",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-862: Missing Authorization",
              "cweId": "CWE-862",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-q8m4-xhhv-38mg",
          "name": "https://github.com/etcd-io/etcd/security/advisories/GHSA-q8m4-xhhv-38mg",
          "tags": [
            "x_refsource_CONFIRM"
          ]
        }
      ],
      "metrics": [
        {}
      ]
    },
    "adp": [
      {
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2026-03-26T18:51:42.935Z"
        },
        "title": "CISA ADP Vulnrichment",
        "metrics": [
          {}
        ]
      }
    ]
  }
}